Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | From 28bf685bfc6d0c744369cdf367f61a78d80d0b01 Mon Sep 17 00:00:00 2001 |
| 2 | From: Michael Niedermayer <michaelni@gmx.at> |
| 3 | Date: Thu, 15 Nov 2012 16:41:28 +0100 |
| 4 | Subject: [PATCH] pgssubdec: check RLE size before copying. Fix out of array |
| 5 | accesses |
| 6 | |
| 7 | Upstream-Status: Backport |
| 8 | |
| 9 | Commit 28bf685bfc6d0c744369cdf367f61a78d80d0b01 release/1.1 |
| 10 | |
| 11 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind |
| 12 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> |
| 13 | (cherry picked from commit c0d68be555f5858703383040e04fcd6529777061) |
| 14 | --- |
| 15 | libavcodec/pgssubdec.c | 5 +++++ |
| 16 | 1 file changed, 5 insertions(+) |
| 17 | |
| 18 | diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c |
| 19 | index 728f178..26a3c2a 100644 |
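--- a/gst-libs/ext/libav/libavcodec/pgssubdec.c
+++ b/gst-libs/ext/libav/libavcodec/pgssubdec.c
@@ -202,6 +202,11 @@ static int parse_picture_segment(AVCodec
 return -1;
 }
 
+ if (buf_size > rle_bitmap_len) {
+ av_log(avctx, AV_LOG_ERROR, "too much RLE data\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 ctx->picture.w = width;
 ctx->picture.h = height;
 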
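Review bot: The added guard `if (buf_size > rle_bitmap_len)` is only as strong as the types and earlier validation of its two operands, both of which are declared and computed outside this hunk. If `rle_bitmap_len` is unsigned and derived from a length field in the stream by subtraction (not visible here, so this needs confirming), a too-small field would wrap to a very large value and the comparison would pass; the lower bound belongs where the length is read. The new path also returns `AVERROR_INVALIDDATA` while the rejection two lines above it returns `-1`, so callers see two different codes for malformed input. A short comment on the guard, e.g. `/* reject segments carrying more RLE bytes than the declared bitmap length */`, would record why it sits before the copy. parse_picture_segment starts and ends outside the hunk.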
| 34 | -- |